INDEX 293
parsing engines, for browsers, 70n
Partial Content status code (206), 54
partly restricted URL scheme, 188
passive multimedia, CSP directive for, 243
password
  in credentials portion of URLs, 26
  form-based managers, 227–229
  methods for passing, 63
Path parameter, for cookie, 61
path value, for cookie, 149–150
payload inspection, by Internet Explorer, 202
PDF documents, 130–131
percent encoding, 31
percent sign (%), for character encoding, 31
per-host connection limit, 216
period (.), hostnames with, and cookie-setting algorithms, 159
permissions, browser- and plug-in-managed, 226–227
permitted-cross-domain-policies parameter, for crossdomain.xml file, 162
persistent workers, for background processes, 258
Petkov, Petko D., 131
phishing, 176n
plaintext
  converting HTML to, 85
  as file format, 117–118
  for HTTP session information, 64
<plaintext> tag (HTML), 72
Platform for Privacy Preference (P3P), 193
plug-ins, 10–11
  ActiveX, 129, 136–137
  Adobe Flash. See Adobe Flash
  application frameworks as basis, 131–136
  content, 83
  for content rendering, 127–138
  CSP directive for, 243
  document rendering helpers, 130–131
  invoking, 128–130
  Microsoft Silverlight, 119, 134, 157
  for PDF documents, 130–131
  perils of content-type handling, 129–130
  protocols claimed by, 36–37
  security rules, 153–158
  site permissions management, 226–227
  Sun Java, 134–135, 157–158
  XML browser applications (XBAP), 135–136
PNG file format, 83
pointers, management vulnerabilities, 266
poisoned browser cache, on trusted network, 60
pop-under, 217
pop-up filtering, 217–218
ports
  default, for protocols, overriding, 27
  prohibited, 190–192
positioning windows, 219–222
postMessage(...) API, 144–145, 258
POST method (HTTP), 52, 81
postponing JavaScript execution, 101
Pragma: no-cache request header, 59
prerendering web page, 258–259
presentation, HTML tags for, 73
PresentationHost.exe, 135
pressed key, examining code of, 180
Presto parsing engine, 70n
printable characters, browser treatment of, 32
privacy-related side channels, 184–185
private browsing modes, 249, 253
private value, for Cache-Control header, 59
privileges, site, 225–234
prohibited ports, 190–192
properties, definitions in CSS, 89
proposals
  content-level, 258–259
  I/O interfaces, 259
  URL- and protocol-level, 256–257
protocol-host-port tuple, 142, 241
protocol-level information
  encryption, 64–66
  preserving, 78
protocol-level proposals, 256–257
protocols
  claimed by third-party applications, 36–37
  default ports for, overriding, 27
  registration, 256
  in URL scheme name, 24
proxy-originating error responses, browser processing, 47
proxy requests, 46–47
pseudo-functions (CSS), 89
pseudo-protocols
  encapsulating, 37–38
  nonencapsulating, 37
pseudo-URLs, 23, 24, 165
  restricted, 170–171
  and same-origin policy, 161
public key cryptography, 64, 64n
Public Suffix List, 159
public value, for Cache-Control header, 59
public Wi-Fi networks, and HTTP caching risk, 60
Punycode, 34
purging browser cache, 60
PUT request (HTTP), 53